You may be obliged under the GDPR to appoint a DPO (Data Protection Officer, an internal privacy supervisor). If this is the case for your organization, what do you have to do?
Under Article 37 of the GDPR, a DPO is required in three situations:
Public authorities and public organizations
Public authorities and public organizations are always obliged to appoint a DPO, regardless of the type of data they process. This includes the national government, municipalities and provinces, but also, for example, healthcare and educational institutions. The compulsory appointment of a DPO does not apply to courts acting in their judicial capacity.
Large-scale monitoring of individuals
Organizations whose core activities consist of monitoring individuals or tracking their activities on a large scale are also obliged to appoint a DPO. Examples are profiling people in order to make risk assessments, camera surveillance, personnel monitoring systems and monitoring a person's health through wearables.
Relevant factors are the number of people the organization monitors, the amount of data it processes about them and how long it keeps following them.
Special personal data
Organizations are also required to appoint a DPO if processing special personal data on a large scale is one of their core activities. Special personal data are, for example, data about a person's health, race, political opinion, religious conviction or criminal record.
On 31 May last, the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP) provided more clarity about what counts as large-scale processing in healthcare. In the case of large-scale processing, the GDPR requires that a DPO be appointed. For GP (general practitioner) practices and institutions for specialist medical care other than hospitals, the AP considers processing to be large-scale when it concerns more than 10,000 patients. The processing of personal data by hospitals, pharmacies (other than a solo-practising care provider), GPs and care groups is always regarded as large-scale.